[Zope] Is there any way to turn off the publishing of external methods to the web in Zope?

Mark, Jonathan (Integic) jonathan.mark at integic-hc.com
Fri Jan 26 14:06:27 EST 2007


The relevant permission for an external method in 2.10.1 is "Access
contents information."

The problem is that the Zope application which calls my External Method
from a Python Script always runs unauthenticated. I turned off in the
ZMI my External Method's access for unauthenticated users, and left it
on for "Owner." However, now users who call the Python Script which
calls the External Method also get prompted for authentication.  

I need unauthenticated users to be able to run the calling Python
Script.

I wonder if there is some way for unauthenticated users of a Python
Script to be dynamically assigned a Zope role at the start of the Python
Script and then lose that role at the conclusion of the Python Script.
Is that inherently unsafe even if it is possible? 


-----Original Message-----
From: Andreas Jung [mailto:lists at zopyx.com]
Sent: Friday, January 26, 2007 10:36 AM
To: Mark, Jonathan (Integic); zope at zope.org
Subject: Re: [Zope] Is there any way to turn off the publishing of
external methods to the web in Zope?

--On 26. Januar 2007 10:29:08 -0500 "Mark, Jonathan (Integic)" 
<jonathan.mark at integic-hc.com> wrote:

> I have an external method which uses eval(). I would like to prevent
> anyone from calling this method from inside a URL, e.g.,
> myzopesite/myexternalmethod?myvar=deletemyfiles()
>
> Rather, I wish for only Zope objects such as Python Scripts to be able to
> call this external method. Is there any way to turn off the publishing of
> external methods to the web in Zope?

The standard Zope security also applies to external methods. Configure the
View permission according to your needs.

-aj
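
Independent of how the permission is configured, the eval() call described in the original question can be replaced by an evaluator that only accepts an allow-list of syntax, so that input such as `deletemyfiles()` is refused rather than executed. The following is an added example, not code from this thread or from Zope: the names `restricted_eval`, `my_external_method` and `rate` are hypothetical, it assumes the method only needs arithmetic, and it is written for current Python 3 rather than the interpreter that shipped with Zope 2.10.

```python
import ast
import operator

# Arithmetic only. Exponentiation is left out on purpose: "9**9**9" is a
# cheap way to exhaust CPU and memory.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


class RejectedExpression(ValueError):
    """Raised when the input contains anything outside the allow-list."""


def restricted_eval(expr, names=None):
    """Evaluate arithmetic over numeric literals and allow-listed names.

    The syntax tree is walked by hand and never passed to eval(), so calls,
    attribute access, subscripts and lambdas are rejected, not executed.
    """
    names = names or {}
    if len(expr) > 200:  # bound parser work on untrusted input
        raise RejectedExpression("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise RejectedExpression("not a valid expression") from exc

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.Name) and node.id in names:
            return names[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise RejectedExpression("disallowed syntax: " + type(node).__name__)

    return walk(tree)


def my_external_method(myvar):
    """Hypothetical stand-in for the external method; None means rejected."""
    try:
        return restricted_eval(myvar, names={"rate": 0.5})  # constructed value
    except (RejectedExpression, ZeroDivisionError):
        return None
```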

